Why malware authors keep using the same old Microsoft Office exploits

SophosLabs Principal Malware Researcher Gabor Szappanos has closely studied Microsoft Office exploits for the past few years. We’ve previously covered his investigation of the Microsoft Word Intruder exploit creation kit, and his recent paper exploring the most popular Office exploit kits.

In a new research report, Gabor takes a closer look at the top four Office exploit kits used in the last quarter of 2015. He also reports which exploits were most commonly used in malicious documents, and shows us what families of malware were distributed by the studied samples.

As Gabor explains, malware authors are increasingly attracted to document exploits as the initial entry point for their attacks. The attackers spread their booby-trapped Office documents through phishing emails spammed out to large numbers of random recipients (cybercrime groups), or to a more select list of targets (APT groups).

Notably, the majority of Office exploits malware authors have been using in malicious documents are now several years old. The most popular exploit, CVE-2012-0158, has been around for well over three years now.

Location-based threats: How cybercriminals target you based on where you live

Much like legitimate businesses, cybercriminal enterprises have to be dynamic – standing still means falling behind. A significant example of how cybercriminals are evolving is the growing trend of location-based targeting, through what we call “geo-malware” and regionalized email attacks.

Traditionally, we think of online threats in terms of highly targeted attacks on the one hand and opportunistic cash grabs on the other hand. Nation-state sponsored or advanced persistent threat (APT) attackers target specific individuals or organizations, and the more common, financially motivated digital thieves take an “infect them all” approach.

Our SophosLabs research shows that way of thinking is becoming outdated, as APT attackers and common cybercrooks learn and borrow techniques from one another.

Common online crooks have learned how to become more efficient and increase their yield per victim by targeting individuals based on their specific country, using a variety of methods. Here I will go into a few of them: geo IP lookups; traffic direction services; and email targeting. I will also explain how and why cybercrooks avoid certain countries.

SophosLabs investigates the most popular Microsoft Office exploit kits

Malware authors have been using Microsoft Office document exploits for quite some time, but in the past couple of years, document malware has experienced a resurgence.

Typically, exploited documents are attached to email messages and sent out to large numbers of random recipients (in the case of cybercrime groups) or a smaller number of selected targets (in the case of APT groups).

Office exploit generators play a crucial role in making Office exploitation available to common cybercriminals. However, despite their significance, most Office exploit kits have not been covered in detail.

In a new research paper, SophosLabs Principal Malware Researcher Gabor Szappanos analyzes some of the most impactful Office exploit generators.

How to stay protected against ransomware

If there’s one thing we know about cybercrooks, it’s that they are persistent. When they find a formula that works, they’ll keep on using and improving upon that formula until it no longer gets the job done.

Ransomware that hijacks your files and locks them up using unbreakable encryption has been quite successful for the crooks, making it a widespread and major threat for home users and businesses alike. If you don’t have preventative measures in place and get hit with ransomware, one way or another you will end up paying the price.

In recent months we’ve seen new strains of ransomware crop up that show the problem isn’t going away any time soon. The nasty ransomware known as Locky has been infecting Windows computers through malicious email attachments. There’s even ransomware targeting Android, Linux and Mac.

In light of this ongoing threat, Sophos has created a new resource showing you How to stay protected against ransomware. It’s an easy-to-follow guide offering best practices for keeping your data secure, including how to configure your security, train your staff, and back up your files.

Sophos storms RSA Conference with talks on Google Play insecurity, regionalized malware, and more

Cybersecurity is one of the hottest industries right now, as hacking and spying stories hit the headlines every day. Lots of people will be paying attention to the news coming out of RSA Conference 2016, taking place 29 February to 4 March, in San Francisco.

Sophos has a huge presence at RSA this year, from our friendly team members staffing our booth (N3101) in the exhibition hall, to our brightest security experts giving keynote talks in front of big crowds.

We’re also showing off our innovative products, like the one-of-a-kind XG Firewall with Sophos Security Heartbeat, our industry-leading next-generation endpoint, and the advanced threat detection capabilities of our unique, next-gen sandboxing technology called Sophos Sandstorm.

Sophos just won the AV-Test Award for best Android protection in 2015

In my job at SophosLabs, where I’m in charge of working with the independent testers who examine and rate our security products, I deal with a lot of statistics. Here are a few numbers that make me especially proud of the work we do.

Out of roughly 25 Android security applications tested throughout 2015 by AV-Test, only one achieved a perfect 100% protection score for the whole year, across six tests in all – Sophos Mobile Security.

In recognition of our perfect protection scores, AV-Test has given us its Best Protection Award for Android Security at the 2015 AV-Test Awards.

It’s quite an accomplishment when you consider how many malicious Android apps we were asked to protect against – a total of 29,030 samples for the year, all of which we detected and blocked.

Watch SophosLabs experts present their research on Hacking Team, PDF malware and APTs

You might not have had a chance to make it to Budapest, Hungary for the Hacktivity 2015 conference, to see live presentations by some of our crack team of SophosLabs researchers.

Well, now we have videos from the event, so you can see three of our researchers give their talks, almost as if you were there! Their presentations cover some interesting topics.

Attila Marosi gives us an introduction to the Hacking Team malware exposed last year by a breach of the Italian hacking-for-hire company. Jason Zhang investigates new techniques used in recent PDF malware campaigns. And Gábor Szappanos analyzes and compares different malware authors on the advanced persistent threats (APT) scene.
